Question to those who use UFW/GUFW as VPN killswitch

Discussion in 'privacy technology' started by guest, Feb 23, 2015.

  1. guest

    guest Guest

    I've read a few guides regarding this and all of them mentioned that if you disconnect from your VPN server and want to re-connect, you'll need to temporarily disable UFW or else you won't be able to use the internet at all, including to connect to the VPN server. Is this true?

    Also, is it possible to write app-specific rules instead of applying a system-wide rule? Thank you for the answers.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Just use Adrelanos' VPN-Firewall: https://github.com/adrelanos/VPN-Firewall

    You specify the IPs of the VPN servers that you're using, so you can reconnect to them if the VPN fails.

    If you like, you can use the iptables-persistent package to make the rulesets persistent. Once you become a little familiar with the format, editing /etc/iptables/rules.v4 and /etc/iptables/rules.v6 is not too hard. The rulesets that VPN-Firewall gives you are a solid starting point.
     
  3. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    UFW allows you to set up per-app rules, but it's actually the same as the usual port-based rules; they are internally transferred to port-based rules by /etc/ufw/application.d/

    If you want to fully control each app like Windows, I think the only way will be to directly edit iptables with --pid-owner, but its problem is that it's PID-based, so to achieve Windows-like control you have to dynamically generate rules, which Droidwall does on Android. I don't know if there's any app which does this on Linux.
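    As an added illustration of the two options described above (example code, not from this thread or any of the posters): a ufw application profile in the INI format ufw loads from /etc/ufw/applications.d/, which only ever becomes a port rule, beside an iptables owner-match rule that scopes traffic to whatever runs as a dedicated user. The user name "vpnonly", the profile name "myapp" and its ports are placeholders chosen for the example; the owner match is on UID rather than PID, so it does not need to be regenerated when the process restarts.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): two ways to scope firewall rules to an
    # application on Linux. The user name "vpnonly", the profile name "myapp" and
    # its ports are placeholders chosen for the example.
    set -eu

    APP_USER="${APP_USER:-vpnonly}"
    VPN_IF="${VPN_IF:-tun0}"

    # 1. A ufw application profile, in the INI format ufw loads from
    #    /etc/ufw/applications.d/. "Per-app" here means the ports the app uses;
    #    the resulting rule matches any process that talks on those ports.
    app_profile() {
        cat <<'EOF'
    [myapp]
    title=Example service
    description=Placeholder profile for the example (ports are assumptions)
    ports=8080/tcp|8443/tcp
    EOF
    }

    # 2. Per-process control with the iptables owner match. Run the program as a
    #    dedicated user (sudo -u vpnonly myapp) and let that user's packets leave
    #    only through the tunnel or loopback; everything else from that user is
    #    rejected. Matching on UID means restarts and child processes are covered
    #    without regenerating rules. The jump is inserted at position 1 of OUTPUT
    #    so it is evaluated before any ufw-managed chains.
    owner_rules() {
        echo "iptables -N APP_OUT"
        echo "iptables -I OUTPUT 1 -m owner --uid-owner $APP_USER -j APP_OUT"
        echo "iptables -A APP_OUT -o lo -j ACCEPT"
        echo "iptables -A APP_OUT -o $VPN_IF -j ACCEPT"
        echo "iptables -A APP_OUT -j REJECT --reject-with icmp-admin-prohibited"
    }

    case "${1:-}" in
        --profile) app_profile ;;
        --apply)
            # Create the dedicated service account if it does not exist yet,
            # then apply the owner rules one by one.
            id "$APP_USER" >/dev/null 2>&1 || sudo useradd -r -s /usr/sbin/nologin "$APP_USER"
            owner_rules | while read -r cmd; do sudo $cmd; done
            ;;
        *) owner_rules ;;
    esac
    ```

    Run it with no arguments to review the iptables commands, `--profile` to print the profile (save it under /etc/ufw/applications.d/ and reference it with `ufw allow myapp`), and `--apply` to create the user and load the rules. The REJECT at the end of APP_OUT is what makes the rule a per-application kill switch: the program sees an immediate connection error instead of silently falling back to the physical interface.
    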
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    The UFW part is how I have total control over my system. Even though several of my VPN providers have excellent clients, I still use UFW as my personal stopgap for any unseen client issues. I use UFW along with the clients. To me it's worth the five seconds of my time while bringing up my Linux host each session. Since you are asking about UFW, it must mean you are on Linux as well. The VPN tunnel will leave your machine on what your system calls tun0. So, simply connect via your client or OpenVPN network manager. Once the connection is made, then terminal ufw to a tun0 ONLY rule. In other words, NOTHING leaves or comes in unless it's going through tun0.

    What mirimir suggested would work too. I use wayyyyy too many servers to be bothered with entering the IP of each into my firewall as he describes. I am somewhat unique in how many servers I connect to. If you are interested I can post the ufw ruleset I use. It's basically one rule that allows ONLY tun0 and ONLY on IPv4. I can enable and disable ufw in less than 5 seconds.

    One added bonus is that this approach isolates my "hobby" machine from all other devices on my network. INTRA-net has some dangers as well.
     
  5. guest

    guest Guest

    @mirimir
    Thanks. I'll look into it.

    @Yuki2718
    That's unfortunate to know. :(

    @Palancar
    I'm not really in a Linux environment. I've just tested a few distros in VMs, and while I'm at it, why not start playing around with this as well? I was wondering if it is possible to keep the firewall enabled while the user locks up system connections if s/he uses a VPN. What if the user forgot?

    Pardon my silly newbieness, but isn't tun0 the MAC/physical address of the network device?

    I'll be glad to get enlightenment about the rules so I can get an image of how I am supposed to configure it. Thanks. :)
     
  6. guest

    guest Guest

    Welp, I managed to pull this off to some extent. I put these commands in the terminal:

    Code:
    sudo ufw disable
    Then...

    Code:
    sudo ufw default deny incoming
    sudo ufw default deny outgoing
    Then...

    Code:
    sudo ufw allow out on tun0 from any to any
    And lastly...

    Code:
    sudo ufw enable
    It surprisingly worked, as I thought I needed to replace "tun0" with the VPN's interface name, which I don't even know what this was talking about. From a simple test I couldn't access the web without first establishing connection to the VPN server. And after disconnecting from the VPN I couldn't connect to the VPN server as long as the firewall is enabled. Now I'm waiting for Palancar's rule to compare with what I've got. :)

    BTW, I took a look at Adrelanos' VPN Firewall. Considering I'm completely clueless about Linux I don't know what I'm supposed to do with this. I previously thought it was an app package. :confused:
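    Putting the two pieces of advice in this thread together (Palancar's tun0-only rule and mirimir's point that you must also allow the VPN servers' IPs if you want to reconnect with the firewall up), here is an added example of a ufw kill-switch script. It is not code from this thread, from VPN-Firewall, or from any provider: the server addresses, port and protocol are placeholders (RFC 5737 documentation addresses) that you replace with your provider's real endpoint IPs. They have to be IPs rather than hostnames, because DNS is blocked while the tunnel is down.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): a ufw kill switch that also lets you
    # reconnect. The addresses, port and protocol below are placeholders; put
    # your provider's real endpoint IPs there (IPs, not hostnames: DNS is blocked
    # while the tunnel is down).
    set -eu

    VPN_IF="${VPN_IF:-tun0}"
    VPN_PROTO="${VPN_PROTO:-udp}"
    VPN_PORT="${VPN_PORT:-1194}"
    # Constructed placeholder endpoints from the RFC 5737 documentation ranges.
    VPN_SERVERS="${VPN_SERVERS:-198.51.100.10 203.0.113.20}"
    LAN_NET="${LAN_NET:-}"   # e.g. 192.168.1.0/24 if you need LAN access without the VPN

    # Print the ufw commands instead of running them, so the ruleset can be
    # reviewed before anything is applied.
    killswitch_rules() {
        echo "ufw --force reset"
        echo "ufw default deny incoming"
        echo "ufw default deny outgoing"
        # The tunnel interface is the only general exit.
        echo "ufw allow out on $VPN_IF from any to any"
        # Pinholes for the VPN handshake itself, one per known server, so the
        # client can reconnect without the firewall being disabled.
        for ip in $VPN_SERVERS; do
            echo "ufw allow out to $ip port $VPN_PORT proto $VPN_PROTO"
        done
        if [ -n "$LAN_NET" ]; then
            echo "ufw allow out to $LAN_NET"
        fi
        echo "ufw enable"
    }

    # Check 'ufw status verbose' output (read from stdin): the firewall must be
    # active and both default policies must be deny, otherwise the kill switch
    # is not in force (the "what if the user forgot?" case).
    status_is_locked() {
        status="$(cat)"
        printf '%s\n' "$status" | grep -q '^Status: active' &&
        printf '%s\n' "$status" | grep -q '^Default: deny (incoming), deny (outgoing)'
    }

    case "${1:-}" in
        --apply)
            # Turn IPv6 off in ufw first so nothing escapes over v6 while the
            # tunnel only carries v4 (the same choice Palancar describes).
            sudo sed -i 's/^IPV6=.*/IPV6=no/' /etc/default/ufw
            killswitch_rules | while read -r cmd; do sudo $cmd; done
            ;;
        --check)
            sudo ufw status verbose | status_is_locked && echo "kill switch active" || { echo "NOT locked"; exit 1; }
            ;;
        *)
            killswitch_rules
            ;;
    esac
    ```

    Run with no arguments it only prints the rules; `--apply` loads them and `--check` parses `ufw status verbose` to confirm both defaults are deny and the firewall is active. The difference from the commands in the post above is the per-server `allow out to ... port ... proto ...` lines: without them the default deny outgoing also blocks the handshake to the VPN server, which is exactly why the poster could not reconnect without disabling ufw.
    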
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    In Linux, tun0 is the name of the first virtual tunnel interface (with the rest being tun1 etc).
    Yes, it isn't really that hard. VPN-Firewall basically does that, and also allows traffic to your VPN server(s) and LAN(s).
    It's just a shell script that adds the iptables rules.
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    It sounds like you basically have it down. Remember that I use this along with a really great linux vpn client. I know you said you are just getting started with linux so I won't overwhelm you. For quite some time I didn't use any vpn providers' clients because I wanted to learn to configure the connection myself so I understood what was going on. That too was not that tough and after using those semi-manual configs for awhile I then started using the clients. Still, as mentioned above I will NEVER use someone else's client and not cover a broken connection on my own. Paranoid maybe, but a full out leak could "sink my battleship" if you know what I mean. Not so much here.

    Try this simple command in terminal: sudo ufw status verbose and you should see the following: active, logging off (my preference), outgoing and incoming blocked, and tun0 (I specifically make sure ipv6 is off and only allow tun0 on IPV4).

    There is more than one way to skin a cat! I used to do that with the Windows firewall especially, and my guides described how to do it. I actually help beta test the Linux client network locks, so I purposely need to be able to drop ufw often. A good Linux VPN client will actually do everything we are discussing here. I have not seen a leak in the one I use and it's acid-tested personally semi-weekly. Even so I still run my personal rig as if someday it might betray me. That means ufw as discussed above.
     
  9. guest

    guest Guest

    Thanks for the help folks. :thumb:

    Yes, I saw in the status that both incoming and outgoing traffic is blocked whilst outgoing traffic through tun0 is allowed. It's just my personal taste, but I block all inbound connections as I don't need to allow them. So judging from what others have said, it looks like I've done it right.
     